05-26-2011 08:56 AM - edited 03-11-2019 01:38 PM
Hi guys,
I've recently set up an Easy VPN on a Cisco 3G router with an ASA5520. The tunnel comes up OK and the remote users can browse the net.
The problem is accessing the LAN behind the ASA. When you do a show cry ipsec sa on the ASA you get the following (I've replaced IPs with the names of the LAN/IP):
Crypto map tag: DYN_MAP, seq num: 100, local addr: ASA IP ADD

      local ident (addr/mask/prot/port): (LAN BEHIND ASA/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN BEHIND 3G router/255.255.255.0/0/0)
      current_peer: 3G Router IP, username: xxxxxx
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ASA IP ADD/4500, remote crypto endpt.: 3G Router IP/40592
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 79BBD3C3

    inbound esp sas:
      spi: 0x483ABBD4 (1211808724)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 13179, crypto-map: DYN_MAP
         sa timing: remaining key lifetime (sec): 27555
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x79BBD3C3 (2042352579)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 13179, crypto-map: DYN_MAP
         sa timing: remaining key lifetime (sec): 27555
         IV size: 16 bytes
         replay detection support: Y
As you can see, the packets are not encapsulating for some reason. On the 3G router it's the opposite: the packets aren't decapsulating. On a site-to-site VPN this is normally when the interesting-traffic ACL is incorrect, but I'm baffled by this on an Easy VPN setup.
I have allowed the no-NAT statements on the router and the ASA.
Any pointers?
Thanks
05-26-2011 09:46 AM
Can you provide the config from both the router and the ASA?
05-31-2011 02:11 AM
Hi, here is the config from the ASA:
access-list 3GSplitTunnel extended permit ip 10.100.1.0 255.255.255.0 any
access-list 3Gtraffic extended permit ip 10.100.1.0 255.255.255.0 10.3.0.0 255.255.255.0
crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 100 set transform-set TUNN_ESP_AES_SHA
crypto dynamic-map DYN_MAP 100 set reverse-route
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 2147483
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
group-policy 3GPolicy internal
group-policy 3GPolicy attributes
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 3GSplitTunnel
 default-domain value xxx.com
 nem enable
username cisco test password ciscotest
tunnel-group Sol3GRAGroup type ipsec-ra
tunnel-group Sol3GRAGroup general-attributes
 authorization-server-group LOCAL
 default-group-policy 3GPolicy
tunnel-group Sol3GRAGroup ipsec-attributes
 pre-shared-key *
And here is the config from the 3G router:
crypto ipsec transform-set ezvpn-profile-0 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ezvpn-profile-1 esp-aes 256 esp-sha-hmac
username ciscotest password ciscotest
crypto ipsec profile EZVPN
 set transform-set ezvpn-profile-0
crypto ipsec client ezvpn ASA
 connect auto
 group 3GRAGroup key 3gvpn
 mode network-extension
 ipsec-profile EZVPN
 nat acl 102
 username cisco test password ciscotest
 xauth userid mode local
interface Cellular 0
 no ip address
 no shut
 ip nat outside
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 dialer-group 2
 async mode interactive
interface Vlan1
 ip address 10.3.0.1 255.255.255.0
 ip access-group 100 out
 ip nat inside
 crypto ipsec client ezvpn ASA inside
interface Dialer 1
 ip address negotiated
 ip nat outside
 dialer pool 2
 dialer string 3g
 dialer persistent
 dialer-group 2
 !output omitted----
 crypto ipsec client ezvpn ASA outside
ip nat inside source route-map EzVPN interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 deny ip 10.3.0.0 0.0.0.255 10.100.1.0 0.0.0.255
access-list 102 permit ip any any
route-map EzVPN permit 1
 match address 102
06-01-2011 07:47 AM
Did you enable nat-control on the ASA?
If yes, did you configure NAT 0 to bypass VPN traffic from NAT?
You did not provide the NAT configuration on the ASA.
06-01-2011 08:38 AM
Hi,
I have managed to sort this, well, kind of.
The problem seems to be with the routing of the 10.0.0.0/8 subnet (which we use within our network and MPLS cloud).
When I change the remote subnet to 192.168.166.0/24 or 172.16.166.0/24 it all works OK.
06-01-2011 09:21 AM
Thanks. Glad that you fixed it already.
Yeah, that could be an issue. In general, if you don't see the encrypted count incrementing, you should check NAT and routing. Here, since you use an overlapping IP range for the remote VPN, the traffic to the VPN client might not be able to reach this ASA.
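A small diagnostic that applies the two checks this thread ends up with (one-way encaps/decaps counters on the ASA SA, then a remote ident that overlaps a prefix already routed internally) to a constructed sample of the show crypto ipsec sa output above. This is an added example, not anything posted in the thread; the sample text, the 203.0.113.10 ASA address and the internal prefix list are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the "show crypto ipsec sa" output quoted in
# the thread; the ASA address is a documentation placeholder, not a real one.
SAMPLE_SA = """\
Crypto map tag: DYN_MAP, seq num: 100, local addr: 203.0.113.10
  local ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.3.0.0/255.255.255.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
"""

IDENT_RE = re.compile(r"(local|remote) ident .*?: \((\S+?)/(\S+?)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Pull the proxy identities and encaps/decaps counters out of one SA block."""
    sa = {}
    for side, addr, mask in IDENT_RE.findall(text):
        # ipaddress accepts the dotted-netmask form the ASA prints
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for name, value in COUNTER_RE.findall(text):
        sa[name] = int(value)
    return sa


def diagnose(sa, internal_prefixes):
    """Apply the thread's two checks: one-way counters, then address overlap.

    internal_prefixes: prefixes already routed inside the network behind the
    ASA (assumed here to be the 10.0.0.0/8 aggregate used across the MPLS cloud).
    """
    findings = []
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way SA: client traffic is decrypted but no replies "
                        "are encapsulated; check NAT exemption and routing "
                        f"toward {sa['remote']}")
    for prefix in internal_prefixes:
        prefix = ipaddress.ip_network(prefix)
        if sa["remote"].overlaps(prefix):
            findings.append(f"remote ident {sa['remote']} overlaps internal "
                            f"prefix {prefix}; return traffic may follow that "
                            "route instead of entering the tunnel")
    return findings or ["counters symmetric and no overlap with internal prefixes"]


if __name__ == "__main__":
    for line in diagnose(parse_sa(SAMPLE_SA), ["10.0.0.0/8"]):
        print(line)
```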